UrlRewriteFilter Redirects To Wrong Login.html Page With FORM Authentication

I have a webapp set up in Tomcat 7 that needs to leverage form-based security. This webapp also uses org.tuckey.web.filters.urlrewrite.UrlRewriteFilter to rewrite URLs.

For reference, here's the relevant portion of the web.xml file in my webapps/.../WEB-INF directory:

<security-role>
   <role-name>foo.pr</role-name>
</security-role>

<security-constraint>
   <display-name>Security Constraint</display-name>
   <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
   </web-resource-collection>
   <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>all.foo</role-name>
   </auth-constraint>
   <!-- <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint> -->
</security-constraint>

<login-config>
   <auth-method>FORM</auth-method>
   <realm-name>Authentication</realm-name>
   <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
   </form-login-config>
</login-config>

<filter>
  <filter-name>UrlRewriteFilter</filter-name>
  <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
  <init-param>
    <param-name>confReloadCheckInterval</param-name>
    <param-value>60</param-value> <!-- -1, 0, or something like 60 -->
  </init-param>
  <init-param>
    <param-name>logLevel</param-name>
    <param-value>INFO</param-value>
  </init-param>
  <init-param>
    <param-name>statusEnabledOnHosts</param-name>
    <param-value>localhost, 192.168.188.*</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>UrlRewriteFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

When I try to access the webapp, the security is bypassed, and the login.html file is passed through the UrlRewriteFilter. I don't want this behavior; I want it to get the login.html file that is in webapps/ROOT.

Any guidance on this would be really appreciated. I may be misunderstanding something fundamental. If you need to see any other files, please let me know.

Thanks in advance!

Answer

Well, although this isn't the perfect answer, it solved my issue.

I struggled for quite a while to figure out how to have the user go to the login.html file before the URL was rewritten, but I couldn't figure it out. So what I did instead is I added an exception for the login.html file and error.html files in the URLRewriter configuration file so that they aren't rewritten.

I'd still rather have the web app send the user to the security rather than to the filter, but I'll take what I can get.
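
An exemption of the kind this answer describes could look like the following urlrewrite.xml. This is an added example, not the poster's actual configuration; the second rule and its /pages/$1.jsp target are hypothetical and only illustrate that the pass-through rule has to come first.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- WEB-INF/urlrewrite.xml: the default location read by UrlRewriteFilter -->
<urlrewrite>

  <!-- Pass-through rule, placed first. It matches the pages named in
       <form-login-config> in web.xml (/login.html and /error.html).
       "-" means no substitution, and last="true" stops any later rule
       from being evaluated for these two paths. -->
  <rule>
    <name>Leave FORM login and error pages untouched</name>
    <from>^/(login|error)\.html$</from>
    <to last="true">-</to>
  </rule>

  <!-- Hypothetical application rule (assumption, not from the question).
       Without the rule above it would also match /login.html. -->
  <rule>
    <from>^/(.*)\.html$</from>
    <to>/pages/$1.jsp</to>
  </rule>

</urlrewrite>
```

Tomcat's FORM authenticator forwards internally to the login page, so with `<dispatcher>FORWARD</dispatcher>` in the filter mapping the filter sees /login.html on that forward, which is the path the first rule matches.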

source: stackoverflow.com